Cutter Online

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cloud video-cutting skill, but users should understand that media and URLs may be sent to NemoVideo's remote service for processing.

Install only if you are comfortable sending videos, audio, images, or provided media URLs to nemovideo.ai for cloud processing. Avoid highly sensitive personal or workplace media unless you trust that service's privacy and retention practices, and treat NEMO_TOKEN as a credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Medium, 88% confidence
Finding
The skill is marketed as simple video cutting, but the implementation exposes a substantially broader remote media-editing surface including overlays, audio/BGM handling, state inspection, and export orchestration. This capability mismatch can cause users or routing systems to grant the skill access and trust under narrower assumptions than its actual behavior, increasing the chance of unintended data processing and overbroad activation.

Context-Inappropriate Capability

Medium, 91% confidence
Finding
The upload workflow permits URL-based ingestion of arbitrary remote media, which expands the trust boundary beyond user-supplied file uploads. This can enable fetching unexpected third-party content, internal resources if backend protections are weak, or copyrighted/private assets without clear user understanding, making the skill more dangerous than its stated purpose suggests.

Vague Triggers

Medium, 84% confidence
Finding
The invocation examples and routing language are broad enough that the skill may activate for generic editing or media-related requests outside a narrowly defined 'video cutting' task. Overbroad triggering increases the risk of accidental invocation, unnecessary transfer of user media or prompts to a third-party backend, and confusion about what actions the skill will take.

Missing User Warnings

Medium, 95% confidence
Finding
The skill encourages users to send video clips but does not prominently warn that those files are transmitted to a remote cloud backend for processing. Because videos often contain sensitive personal, workplace, or biometric information, missing disclosure undermines informed consent and can lead to unintentional exposure of private media to a third party.

VirusTotal

65/65 vendors flagged this skill as clean.
